Sign-up

ID

VAR-201601-0604


CVE

CVE-2016-0943


TITLE

Windows and Mac OS X Run on Adobe Reader and Acrobat In Javascript API Vulnerability that circumvents execution restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2016-001045

DESCRIPTION

Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC Classic before 15.006.30119, and Acrobat and Acrobat Reader DC Continuous before 15.010.20056 on Windows and OS X mishandle the Global object, which allows attackers to bypass JavaScript API execution restrictions via unspecified vectors. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the Global object. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code. Adobe Reader and Acrobat are prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Adobe Acrobat DC, etc. are all products of Adobe (Adobe) in the United States. Acrobat DC is a desktop PDF solution; Acrobat Reader DC is a set of tools for viewing, printing and annotating PDF. A security vulnerability exists in several Adobe products due to the program's improper handling of Global objects

Trust: 2.61

sources: NVD: CVE-2016-0943 // JVNDB: JVNDB-2016-001045 // ZDI: ZDI-16-012 // BID: 80360 // VULHUB: VHN-88453

AFFECTED PRODUCTS

vendor:adobemodel:acrobat readerscope:eqversion:11.0.10

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.3

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.6

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.2

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.5

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.1

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.4

Trust: 1.6

vendor:adobemodel:acrobat readerscope:eqversion:11.0.0

Trust: 1.6

vendor:adobemodel:acrobatscope:eqversion:11.0.0

Trust: 1.6

vendor:adobemodel:acrobat readerscope:eqversion:11.0.11

Trust: 1.0

vendor:adobemodel:acrobatscope:eqversion:11.0.9

Trust: 1.0

vendor:adobemodel:acrobat dcscope:lteversion:15.006.30097

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.7

Trust: 1.0

vendor:adobemodel:acrobatscope:eqversion:11.0.10

Trust: 1.0

vendor:adobemodel:acrobatscope:lteversion:11.0.13

Trust: 1.0

vendor:adobemodel:acrobatscope:eqversion:11.0.11

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.3

Trust: 1.0

vendor:adobemodel:acrobat reader dcscope:lteversion:15.006.30097

Trust: 1.0

vendor:adobemodel:acrobatscope:eqversion:11.0.7

Trust: 1.0

vendor:adobemodel:acrobat dcscope:lteversion:15.009.20077

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.5

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.12

Trust: 1.0

vendor:adobemodel:acrobat reader dcscope:lteversion:15.009.20077

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.6

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.1

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.9

Trust: 1.0

vendor:adobemodel:acrobatscope:eqversion:11.0.12

Trust: 1.0

vendor:adobemodel:acrobat readerscope:lteversion:11.0.13

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.8

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.4

Trust: 1.0

vendor:adobemodel:acrobatscope:eqversion:11.0.8

Trust: 1.0

vendor:adobemodel:acrobat readerscope:eqversion:11.0.2

Trust: 1.0

vendor:adobemodel:acrobatscope:ltversion:xi desktop 11.0.14 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat dcscope:ltversion:classic 15.006.30119 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat dcscope:ltversion:continuous track 15.010.20056 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat reader dcscope:ltversion:classic 15.006.30119 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat reader dcscope:ltversion:continuous track 15.010.20056 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:readerscope:ltversion:xi desktop 11.0.14 (windows/macintosh)

Trust: 0.8

vendor:adobemodel:acrobat reader dcscope: - version: -

Trust: 0.7

vendor:adobemodel:acrobatscope:eqversion:11.0.13

Trust: 0.6

sources: ZDI: ZDI-16-012 // JVNDB: JVNDB-2016-001045 // CNNVD: CNNVD-201601-243 // NVD: CVE-2016-0943

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-0943
value: HIGH

Trust: 1.0

NVD: CVE-2016-0943
value: MEDIUM

Trust: 0.8

ZDI: CVE-2016-0943
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-201601-243
value: MEDIUM

Trust: 0.6

VULHUB: VHN-88453
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-0943
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

VULHUB: VHN-88453
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-0943
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: ZDI: ZDI-16-012 // VULHUB: VHN-88453 // JVNDB: JVNDB-2016-001045 // CNNVD: CNNVD-201601-243 // NVD: CVE-2016-0943

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-88453 // JVNDB: JVNDB-2016-001045 // NVD: CVE-2016-0943

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-243

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201601-243

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-001045

PATCH
title:APSB16-02url:https://helpx.adobe.com/security/products/acrobat/apsb16-02.html
Trust: 1.5
title:APSB16-02url:https://helpx.adobe.com/jp/security/products/reader/apsb16-02.html
Trust: 0.8
title:アドビ システムズ社 Adobe Reader の脆弱性に関するお知らせurl:http://www.fmworld.net/biz/common/adobe/20160114.html
Trust: 0.8
title:Multiple Adobe Product Privilege License and Access Control Vulnerability Fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59590
Trust: 0.6
sources:
            
            
            ZDI: ZDI-16-012 // 
            
            
            
            JVNDB: JVNDB-2016-001045 // 
            
            
            
            CNNVD: CNNVD-201601-243

EXTERNAL IDS
db:NVDid:CVE-2016-0943
Trust: 3.5
db:ZDIid:ZDI-16-012
Trust: 2.4
db:SECTRACKid:1034646
Trust: 1.1
db:JVNDBid:JVNDB-2016-001045
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-3362
Trust: 0.7
db:CNNVDid:CNNVD-201601-243
Trust: 0.7
db:BIDid:80360
Trust: 0.4
db:VULHUBid:VHN-88453
Trust: 0.1
sources:
            
            
            ZDI: ZDI-16-012 // 
            
            
            
            VULHUB: VHN-88453 // 
            
            
            
            BID: 80360 // 
            
            
            
            JVNDB: JVNDB-2016-001045 // 
            
            
            
            CNNVD: CNNVD-201601-243 // 
            
            
            
            NVD: CVE-2016-0943

REFERENCES
url:https://helpx.adobe.com/security/products/acrobat/apsb16-02.html
Trust: 2.4
url:http://zerodayinitiative.com/advisories/zdi-16-012
Trust: 1.7
url:http://www.securitytracker.com/id/1034646
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0943
Trust: 0.8
url:https://www.ipa.go.jp/security/ciadr/vul/20160113-adobereader.html
Trust: 0.8
url:http://www.jpcert.or.jp/at/2016/at160003.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0943
Trust: 0.8
url:http://www.npa.go.jp/cyberpolice/topics/?seq=17575
Trust: 0.8
url:http://www.adobe.com
Trust: 0.3
url:http://get.adobe.com/reader/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-16-012 // 
            
            
            
            VULHUB: VHN-88453 // 
            
            
            
            BID: 80360 // 
            
            
            
            JVNDB: JVNDB-2016-001045 // 
            
            
            
            CNNVD: CNNVD-201601-243 // 
            
            
            
            NVD: CVE-2016-0943

CREDITS
AbdulAziz Hariri - HPE Zero Day Initiative
Trust: 0.7
sources:
            
            
            ZDI: ZDI-16-012

SOURCES
db:ZDIid:ZDI-16-012
db:VULHUBid:VHN-88453
db:BIDid:80360
db:JVNDBid:JVNDB-2016-001045
db:CNNVDid:CNNVD-201601-243
db:NVDid:CVE-2016-0943

LAST UPDATE DATE
2024-11-23T21:43:23.928000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-16-012date:2016-01-12T00:00:00
db:VULHUBid:VHN-88453date:2016-12-07T00:00:00
db:BIDid:80360date:2016-01-14T23:58:00
db:JVNDBid:JVNDB-2016-001045date:2016-01-15T00:00:00
db:CNNVDid:CNNVD-201601-243date:2016-01-15T00:00:00
db:NVDid:CVE-2016-0943date:2024-11-21T02:42:41.093

SOURCES RELEASE DATE
db:ZDIid:ZDI-16-012date:2016-01-12T00:00:00
db:VULHUBid:VHN-88453date:2016-01-14T00:00:00
db:BIDid:80360date:2016-01-12T00:00:00
db:JVNDBid:JVNDB-2016-001045date:2016-01-15T00:00:00
db:CNNVDid:CNNVD-201601-243date:2016-01-15T00:00:00
db:NVDid:CVE-2016-0943date:2016-01-14T05:59:11.953